Windows Analysis Report
ITC590-Script 3 V2-P-2024.exe

Overview

General Information

Sample name: ITC590-Script 3 V2-P-2024.exe
Analysis ID: 1522423
MD5: ae50e6bab627b7a39408186e75821ea3
SHA1: 69ce995fc2e079c7a7afc9f327a5949356ef6223
SHA256: ca7788bea6909aab6f62b8218025f2b6050c27ffac885e457c60fdc57b2c2d67
Tags: exe, user-Dyrockful

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Found pyInstaller with non standard icon
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info

Classification

AV Detection

Source: ITC590-Script 3 V2-P-2024.exe ReversingLabs: Detection: 13%
Source: ITC590-Script 3 V2-P-2024.exe Virustotal: Detection: 27%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.6% probability
Source: ITC590-Script 3 V2-P-2024.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667822402.00007FFE148E3000.00000002.00000001.01000000.00000007.sdmp, select.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2666857105.00007FFDFB5F2000.00000002.00000001.01000000.00000004.sdmp, python312.dll.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmp, unicodedata.pyd.0.dr
Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: libcrypto-3.dll.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: _decimal.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: _decimal.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650421083.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: libcrypto-3.dll.0.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650421083.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: libcrypto-3.dll.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmp, _socket.pyd.0.dr
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 0_2_00007FF77D689280 FindFirstFileExW,FindClose, 0_2_00007FF77D689280
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 0_2_00007FF77D6883C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00007FF77D6883C0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 0_2_00007FF77D6A1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF77D6A1874
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FF77D689280 FindFirstFileExW,FindClose, 1_2_00007FF77D689280
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FF77D6A1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00007FF77D6A1874
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FF77D6883C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 1_2_00007FF77D6883C0

Networking

Source: Network traffic Suricata IDS: 2049956 - Severity 1 - ET MALWARE Test CnC Domain in DNS Lookup (test .com) : 192.168.2.4:55846 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049957 - Severity 1 - ET MALWARE X CnC Domain in DNS Lookup (test .com) : 192.168.2.4:55846 -> 1.1.1.1:53
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FFE133365E8 memset,recvfrom, 1_2_00007FFE133365E8
Source: global traffic DNS traffic detected: DNS query: malicious-site.net
Source: global traffic DNS traffic detected: DNS query: suspicious-domain.org
Source: global traffic DNS traffic detected: DNS query: test.com
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2662185314.000001AC6D8C3000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664033273.000001AC6D8CC000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665220554.000001AC6D8F0000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2663055050.000001AC6D8EF000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2662498447.000001AC6D8C6000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664062665.000001AC6D8CD000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665171674.000001AC6D8CD000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2663467952.000001AC6D8F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2665778516.000001AC6F450000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr String found in binary or memory: https://peps.python.org/pep-0205/
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2666857105.00007FFDFB5F2000.00000002.00000001.01000000.00000004.sdmp, python312.dll.0.dr String found in binary or memory: https://peps.python.org/pep-0263/
Source: libcrypto-3.dll.0.dr String found in binary or memory: https://www.openssl.org/H
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667195570.00007FFDFB769000.00000008.00000001.01000000.00000004.sdmp, python312.dll.0.dr String found in binary or memory: https://www.python.org/psf/license/
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2666857105.00007FFDFB5F2000.00000002.00000001.01000000.00000004.sdmp, python312.dll.0.dr String found in binary or memory: https://www.python.org/psf/license/)
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: String function: 00007FF77D682710 appears 104 times
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: String function: 00007FF77D682910 appears 34 times
Source: unicodedata.pyd.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650421083.00000177E3071000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651027861.00000177E3071000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_decimal.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe Binary or memory string: OriginalFilename vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667446336.00007FFDFB891000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenamepython312.dll. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667772363.00007FFE13343000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667686800.00007FFE00564000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667946511.00007FFE1A469000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs ITC590-Script 3 V2-P-2024.exe
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667854016.00007FFE148E6000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs ITC590-Script 3 V2-P-2024.exe
Source: classification engine Classification label: mal64.winEXE@3/11@5/10
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI68802
Source: ITC590-Script 3 V2-P-2024.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ITC590-Script 3 V2-P-2024.exe ReversingLabs: Detection: 13%
Source: ITC590-Script 3 V2-P-2024.exe Virustotal: Detection: 27%
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe File read: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe
Source: unknown Process created: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe "C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe"
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Process created: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe "C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe"
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Process created: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe "C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe"
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Section loaded: python3.dll
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Section loaded: fwpuclnt.dll
Source: ITC590-Script 3 V2-P-2024.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: ITC590-Script 3 V2-P-2024.exe Static file information: File size 7247553 > 1048576
Source: ITC590-Script 3 V2-P-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ITC590-Script 3 V2-P-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ITC590-Script 3 V2-P-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ITC590-Script 3 V2-P-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ITC590-Script 3 V2-P-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ITC590-Script 3 V2-P-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ITC590-Script 3 V2-P-2024.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656301203.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667822402.00007FFE148E3000.00000002.00000001.01000000.00000007.sdmp, select.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2666857105.00007FFDFB5F2000.00000002.00000001.01000000.00000004.sdmp, python312.dll.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1656477874.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667502786.00007FFE0055F000.00000002.00000001.01000000.00000009.sdmp, unicodedata.pyd.0.dr
Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: libcrypto-3.dll.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651236079.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: _decimal.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: _decimal.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651445478.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650610519.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650421083.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: libcrypto-3.dll.0.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1650421083.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667912458.00007FFE1A463000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: libcrypto-3.dll.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: ITC590-Script 3 V2-P-2024.exe, 00000000.00000003.1651624451.00000177E3071000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2667736797.00007FFE13339000.00000002.00000001.01000000.00000006.sdmp, _socket.pyd.0.dr
Source: ITC590-Script 3 V2-P-2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ITC590-Script 3 V2-P-2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ITC590-Script 3 V2-P-2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ITC590-Script 3 V2-P-2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ITC590-Script 3 V2-P-2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: VCRUNTIME140.dll.0.dr Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr Static PE information: section name: _RDATA
Source: libcrypto-3.dll.0.dr Static PE information: section name: .00cfg
Source: python312.dll.0.dr Static PE information: section name: PyRuntim

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Process created: "C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe"
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI68802\_lzma.pyd
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI68802\_bz2.pyd
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI68802\_hashlib.pyd
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI68802\python312.dll
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI68802\unicodedata.pyd
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI68802\select.pyd
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI68802\libcrypto-3.dll
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI68802\_socket.pyd
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI68802\_decimal.pyd
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI68802\VCRUNTIME140.dll
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 0_2_00007FF77D6876C0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError, 0_2_00007FF77D6876C0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68802\_lzma.pyd
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68802\_bz2.pyd
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68802\_hashlib.pyd
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68802\python312.dll
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68802\unicodedata.pyd
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68802\select.pyd
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68802\libcrypto-3.dll
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68802\_socket.pyd
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68802\_decimal.pyd
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe API coverage: 4.5 %
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 0_2_00007FF77D689280 FindFirstFileExW,FindClose, 0_2_00007FF77D689280
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 0_2_00007FF77D6883C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00007FF77D6883C0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 0_2_00007FF77D6A1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF77D6A1874
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FF77D689280 FindFirstFileExW,FindClose, 1_2_00007FF77D689280
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FF77D6A1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00007FF77D6A1874
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FF77D6883C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 1_2_00007FF77D6883C0
Source: ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2663088912.000001AC6F651000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000003.2664800905.000001AC6F660000.00000004.00000020.00020000.00000000.sdmp, ITC590-Script 3 V2-P-2024.exe, 00000001.00000002.2666127202.000001AC6F668000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 0_2_00007FF77D69A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF77D69A614
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 0_2_00007FF77D6A3480 GetProcessHeap, 0_2_00007FF77D6A3480
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 0_2_00007FF77D68C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF77D68C8A0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 0_2_00007FF77D68D30C SetUnhandledExceptionFilter, 0_2_00007FF77D68D30C
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 0_2_00007FF77D68D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF77D68D12C
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FF77D69A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FF77D69A614
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FF77D68C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00007FF77D68C8A0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FF77D68D30C SetUnhandledExceptionFilter, 1_2_00007FF77D68D30C
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FF77D68D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FF77D68D12C
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FFE00452A70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00007FFE00452A70
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FFE00453028 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FFE00453028
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FFE13332D70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00007FFE13332D70
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FFE13333328 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FFE13333328
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FFE148E14E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00007FFE148E14E0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FFE148E1AA0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FFE148E1AA0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FFE1A460AA8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00007FFE1A460AA8
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Process created: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe "C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe"
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 0_2_00007FF77D6A9570 cpuid 0_2_00007FF77D6A9570
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Queries volume information: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe VolumeInformation
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802 VolumeInformation
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\_socket.pyd VolumeInformation
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\select.pyd VolumeInformation
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68802\unicodedata.pyd VolumeInformation
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 0_2_00007FF77D68D010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF77D68D010
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 0_2_00007FF77D6A5E7C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 0_2_00007FF77D6A5E7C
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FFE133350C0 PySys_Audit,PyEval_SaveThread,bind,PyEval_RestoreThread,_Py_NoneStruct, 1_2_00007FFE133350C0
Source: C:\Users\user\Desktop\ITC590-Script 3 V2-P-2024.exe Code function: 1_2_00007FFE133360CC _PyArg_ParseTuple_SizeT,PyEval_SaveThread,listen,PyEval_RestoreThread,_Py_NoneStruct, 1_2_00007FFE133360CC